Abstract

Root extraction is a classical problem in computer algebra. It plays an essential role in cryptosystems based on elliptic curves. In 2006, Barreto and Voloch proposed an algorithm to compute $r$th roots in $\mathbb{F}_{q^m}$ for certain choices of $m$ and $q$. If $r \,\|\, q-1$ and $(m,r)=1$, they proved that the complexity of their method is $O(r(\log m + \log\log q)\, m\log q)$. In this paper, we extend the Barreto-Voloch algorithm to the general case that $r \,\|\, q^m-1$, without the restrictions $r \,\|\, q-1$ and $(m,r)=1$. We also specify the conditions under which the Barreto-Voloch algorithm can be preferably applied.
1 Introduction

Consider the problem of finding a solution to $X^r = \delta$ in $\mathbb{F}_{q^m}$, where $q = p^d$ for some prime $p$ and some integer $d > 0$. Clearly, it suffices to consider the following two cases:

(1) $(r, q^m-1) = 1$; \quad (2) $r \,\|\, q^m-1$.



Root extraction is a classical problem in computational algebra and number theory. It plays an essential role in cryptosystems based on elliptic curves. Typical applications of root extraction are point compression on elliptic curves and hashing onto elliptic curves [3, 4, 9].






Adleman, Manders and Miller [1] proposed a method to solve the problem, which extends the Tonelli-Shanks [7, 10] square root algorithm. The basic idea of Adleman-Manders-Miller $r$th root extraction in $\mathbb{F}_q$ can be described as follows. If $r \mid q-1$, we write $q-1$ in the form $r^t \cdot s$, where $(s,r)=1$. Given an $r$th residue $\delta$, we have $(\delta^s)^{r^{t-1}} = 1$. Since $(s,r)=1$, it is easy to find the least nonnegative integer $\alpha$ such that $s \mid r\alpha-1$. Hence, $(\delta^{r\alpha-1})^{r^{t-1}} = 1$. If $t-1=0$, then $\delta^{\alpha}$ is an $r$th root of $\delta$. From now on, we assume that $t \ge 2$. Given an $r$th non-residue $\rho \in \mathbb{F}_q$, we have
$$(\rho^s)^{i\,r^{t-1}} \ne (\rho^s)^{j\,r^{t-1}} \quad\text{where } i \ne j,\ i,j \in \{0,1,\dots,r-1\}.$$
Set $K_i = (\rho^s)^{i\,r^{t-1}}$ and $K = \{K_0, K_1, \dots, K_{r-1}\}$. It is easy to see that all $K_i$ satisfy $X^r = 1$. Since $\bigl((\delta^{r\alpha-1})^{r^{t-2}}\bigr)^r = 1$, there is a unique $j_1 \in \{0,1,\dots,r-1\}$ such that $(\delta^{r\alpha-1})^{r^{t-2}} = K_{r-j_1}$ (where $K_r = K_0$). Hence, $(\delta^{r\alpha-1})^{r^{t-2}} K_{j_1} = 1$, that is,
$$(\delta^{r\alpha-1})^{r^{t-2}} (\rho^s)^{j_1 r^{t-1}} = 1.$$
Likewise, there is a unique $j_2 \in \{0,1,\dots,r-1\}$ such that
$$(\delta^{r\alpha-1})^{r^{t-3}} (\rho^s)^{j_1 r^{t-2}} (\rho^s)^{j_2 r^{t-1}} = 1.$$
Consequently, we obtain $j_1, \dots, j_{t-1}$ such that
$$(\delta^{r\alpha-1}) (\rho^s)^{j_1 r} (\rho^s)^{j_2 r^2} \cdots (\rho^s)^{j_{t-1} r^{t-1}} = 1.$$
Thus, we have
$$\bigl(\delta^{\alpha} (\rho^s)^{j_1 + j_2 r + \cdots + j_{t-1} r^{t-2}}\bigr)^r = \delta.$$
That is, $\delta^{\alpha} (\rho^s)^{j_1 + j_2 r + \cdots + j_{t-1} r^{t-2}}$ is an $r$th root of $\delta$. The complexity of the Adleman-Manders-Miller $r$th root extraction algorithm is $O(\log^4 q + r\log^3 q)$. Notice that the algorithm cannot run in polynomial time if $r$ is sufficiently large.
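The following Python implementation is an added worked example of the Adleman-Manders-Miller procedure just described; it is not code from the paper or from [1]. It works in a prime field $\mathbb{F}_p$ (so that Python's built-in modular pow is the only arithmetic), assumes $r \mid p-1$ as in the text, and finds an $r$th non-residue $\rho$ by trial. The function and variable names (amm_root, check_all, K, J) are ours. The lookup table K of the $r$ roots of unity $K_0, \dots, K_{r-1}$ is what makes the method linear in $r$, in line with the remark above.

```python
# Added example (not code from the paper): the Adleman-Manders-Miller r-th root
# extraction sketched above, over a prime field F_p so that pow() is the only arithmetic.
# Requires Python >= 3.8 for pow(x, -1, n).

def amm_root(delta, r, p, rho=None):
    """Return an r-th root of delta in F_p, or None if delta is not an r-th residue.
    Assumes p prime and r | p - 1.  rho is an r-th non-residue (found by trial if None)."""
    delta %= p
    if delta == 0:
        return 0
    assert (p - 1) % r == 0, "the text's setting requires r | p - 1"
    # write p - 1 = r^t * s with gcd(s, r) = 1
    t, s = 0, p - 1
    while s % r == 0:
        t, s = t + 1, s // r
    # delta is an r-th residue iff delta^((p-1)/r) == 1
    if pow(delta, (p - 1) // r, p) != 1:
        return None
    # least alpha >= 0 with s | r*alpha - 1, i.e. alpha = r^{-1} mod s (0 if s == 1)
    alpha = pow(r, -1, s) if s > 1 else 0
    if t == 1:                               # then delta^(r*alpha - 1) == 1 already
        return pow(delta, alpha, p)
    if rho is None:                          # r-th non-residue: rho^((p-1)/r) != 1
        rho = 2
        while pow(rho, (p - 1) // r, p) == 1:
            rho += 1
    rho_s = pow(rho, s, p)                   # has order exactly r^t
    # K_i = (rho^s)^(i r^(t-1)), i = 0..r-1: the r-th roots of unity, indexed for lookup
    K = {pow(rho_s, i * r ** (t - 1), p): i for i in range(r)}
    w = pow(delta, (r * alpha - 1) % (p - 1), p)   # w^(r^(t-1)) == 1
    J = 0                                    # accumulates j_1 r + j_2 r^2 + ... + j_{t-1} r^(t-1)
    for i in range(1, t):
        x = w * pow(rho_s, J, p) % p         # x^(r^(t-i)) == 1 by the previous steps
        y = pow(x, r ** (t - i - 1), p)      # y^r == 1, so y == K_{r - j_i} for a unique j_i
        j_i = (-K[y]) % r
        J += j_i * r ** i
    # w * (rho^s)^J == 1, hence delta^alpha * (rho^s)^(J / r) is an r-th root of delta
    return pow(delta, alpha, p) * pow(rho_s, J // r, p) % p

def check_all(r, p):
    """Brute-force check over F_p^*: amm_root returns a correct root for every r-th
    residue and None for every non-residue."""
    residues = {pow(x, r, p) for x in range(1, p)}
    for d in range(1, p):
        root = amm_root(d, r, p)
        if d in residues:
            if root is None or pow(root, r, p) != d:
                return False
        elif root is not None:
            return False
    return True
```

For $p = 37$, $r = 3$ one has $36 = 3^2 \cdot 4$, so $t = 2$, $s = 4$, $\alpha = 3$, and amm_root(8, 3, 37) returns 15 with $15^3 \equiv 8 \pmod{37}$; amm_root(2, 3, 37) returns None because $2^{12} \equiv 26 \ne 1 \pmod{37}$. check_all exercises every element of $\mathbb{F}_p^*$ and is a convenient way to test the loop for larger $t$, e.g. $p = 97$, $r = 2$ where $t = 5$.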

In 2006, Barreto and Voloch [2] proposed an algorithm to compute $r$th roots in $\mathbb{F}_{q^m}$ for certain choices of $m$ and $q$. If $r \,\|\, q-1$ and $(m,r)=1$, where the notation $a^b \,\|\, c$ means that $a^b$ is the highest power of $a$ dividing $c$, they proved that the complexity of their method is $O(r(\log m + \log\log q)\, m\log q)$.

Our contributions. We extend the Barreto-Voloch root extraction method to the general case that $r \,\|\, q^m-1$, without the restrictions $r \,\|\, q-1$ and $(m,r)=1$. We also specify the conditions under which the Barreto-Voloch algorithm can be preferably applied.
2 Barreto-Voloch method



The Barreto-Voloch method takes advantage of the periodic structure of $v$ written in base $q$ to compute $r$th roots in $\mathbb{F}_{q^m}$, where $v \equiv r^{-1} \pmod{q^m-1}$ if $(r, q^m-1) = 1$. This advantage is based on the following fact [2]:

Fact 1. Let $\mathbb{F}_{q^m}$ be a finite field of characteristic $p$ and let $s$ be a power of $p$. Define the map
$$\phi_n : \mathbb{F}_{q^m} \to \mathbb{F}_{q^m},\quad y \mapsto y^{1+s+\cdots+s^n} \quad\text{for } n \in \mathbb{N}^*.$$
We can compute $\phi_n(y)$ with $O(\log n)$ multiplications and raisings to powers of $p$.

Notice that raising to powers of $p$ has negligible cost if we use a normal basis for $\mathbb{F}_{q^m}$ over $\mathbb{F}_p$, in which the Frobenius map $y \mapsto y^p$ is a cyclic shift of coordinates. Since it only requires $O(\log n)$ multiplications and raisings to powers of $p$ to compute $y^{1+s+\cdots+s^n}$, where $p$ is the characteristic of $\mathbb{F}_{q^m}$ and $s$ is a power of $p$, their method becomes more efficient for certain choices of $m$ and $q$. They obtained the following results [2].

Lemma 1. Given $q$ and $r$ with $(q(q-1), r) = 1$, let $k > 1$ be the order of $q$ modulo $r$. For any $m > 0$ with $(m,k)=1$, let $u$, $1 \le u < r$, satisfy $u(q^m-1) \equiv -1 \pmod r$ and let $v = \lfloor q^m u/r \rfloor$. Then $rv \equiv 1 \pmod{q^m-1}$. In addition, $v = a + b\sum_{j=0}^{n-1} q^{jk}$ with $a, b < q^{2k}$ and $n = \lfloor m/k \rfloor$.

Theorem 1. Let $q$ be a prime power, let $r > 1$ be such that $(q(q-1), r) = 1$ and let $k > 1$ be the order of $q$ modulo $r$. For any $m > 0$ with $(m,k)=1$, the complexity of taking $r$th roots in $\mathbb{F}_{q^m}$ is $O((\log m + r\log q)\, m\log q)$.

Lemma 2. Given $q$ and $r$ with $r \mid (q-1)$ and $((q-1)/r, r) = 1$, for any $m > 0$ with $(m,r)=1$, let $u$, $1 \le u < r$, satisfy $u(q^m-1)/r \equiv -1 \pmod r$ and let $v = \lceil q^m u/r^2 \rceil$. Then $rv \equiv 1 \pmod{(q^m-1)/r}$. In addition, $v = a + b\sum_{j=0}^{n-1} q^{jr}$ with $a, b < q^{2r}$ and $n = \lfloor m/r \rfloor$.

Theorem 2. Let $q$ be a prime power and let $r > 1$ be such that $r \mid (q-1)$ and $((q-1)/r, r) = 1$. For any $m > 0$ with $(m,r)=1$, given $x \in \mathbb{F}_{q^m}$ one can compute the $r$th root of $x$ in $\mathbb{F}_{q^m}$, or show that it does not exist, in $O(r(\log m + \log\log q)\, m\log q)$ steps.
3 Analysis of Barreto-Voloch method



3.1 On the conditions of Barreto-Voloch method 

Theorem 1 requires that
$$(q(q-1), r) = 1 \quad\text{and}\quad (m,k) = 1,$$
where $k > 1$ is the order of $q$ modulo $r$. These conditions imply $(q^m-1, r) = 1$, but they are not necessary in the general case. Likewise, Theorem 2 requires that
$$r \,\|\, q-1 \quad\text{and}\quad (m,r) = 1.$$
These imply $r \,\|\, q^m-1$, but again they are not necessary. We will remove the restrictions and investigate the following cases:

(1) $(r, p^m-1) = 1$; \quad (2) $r \,\|\, p^m-1$,

where $p$ is a prime. As for the general case $p^m-1 = r^a s$, $a \ge 2$, $(r,s)=1$, we refer to [1].

3.2 On the technique of periodic structure 

As we mentioned before, the Barreto-Voloch method takes advantage of the periodic structure of $v$ written in base $q$. Precisely, in Lemma 1
$$v = a + b\sum_{j=0}^{n-1} q^{jk}, \qquad a, b < q^{2k},\quad n = \lfloor m/k \rfloor, \tag{1}$$
where $k > 1$ is the order of $q$ modulo $r$. From this expression we see that it requires $n = \lfloor m/k \rfloor \ge 1$. It is easy to see that the advantage of the Barreto-Voloch method, which is due to the periodic expansion in base $q$, requires that $m$ be much greater than $k$. That is, the length $n$ of the periodic expansion should be as large as possible.

Since raising to a power of $p$ is a linear bijection in characteristic $p$, the complexity of this operation is no larger than that of a multiplication, namely $O(m\log p)$ using FFT techniques [5, 6, 8]. In light of $q = p^d$ for some prime $p$, it is better to write $v$ as
$$v = a' + b'\sum_{j=0}^{n'-1} p^{jk'}, \qquad a', b' < p^{2k'},\quad n' = \lfloor md/k' \rfloor, \tag{2}$$
where $k'$ is the order of $p$ modulo $r$. That is, the periodic expansion in base $p$ can produce a larger expansion length than the original periodic expansion in base $q$. This claim is directly based on the following fact:
$$n' = \lfloor md/k' \rfloor \ \ge\ \lfloor md/(kd) \rfloor = n. \tag{3}$$
(This is because $k' \mid kd$: from $q^k = p^{dk} \equiv 1 \pmod r$ and the definitions of $k$ and $k'$.)

4 Extension of Barreto-Voloch method 

4.1 Taking rth roots when r is invertible 

We first discuss the problem of taking $r$th roots over $\mathbb{F}_{p^m}$ if $(r, p^m-1) = 1$, where $p$ is a prime.

Lemma 3. Suppose that $(p^m-1, r) = 1$. Let $k$ be the order of $p$ modulo $r$. Let $u$, $1 \le u < r$, satisfy $u(p^m-1) \equiv -1 \pmod r$. Then $rv \equiv 1 \pmod{p^m-1}$, where $v = \lfloor p^m u/r \rfloor$. In addition, if $m > k$, then $v = a + b\sum_{j=0}^{n-1} p^{jk}$ with $a, b < p^{2k}$ and $n = \lfloor m/k \rfloor$.

Proof. Since $u(p^m-1) \equiv -1 \pmod r$ and $1 \le u < r$, we have $p^m u/r = \lfloor p^m u/r \rfloor + (u-1)/r$ and $r\lfloor p^m u/r \rfloor = u(p^m-1) + 1 \equiv 1 \pmod{p^m-1}$. Let $z = u(p^k-1)/r$. Then $z$ is an integer (since $r \mid p^k-1$) and $z < p^k-1$. Hence, $p^m u/r = p^m z/(p^k-1)$. If $m > k$, then we have the following expansion
$$\frac{p^m z}{p^k-1} = p^{m-k} z \sum_{j=0}^{\infty} p^{-jk} = p^{m-nk} z \sum_{j=0}^{n-1} p^{jk} + p^{m-k} z \sum_{j=n}^{\infty} p^{-jk}.$$
Take $a = \Bigl\lfloor p^{m-k} z \sum_{j=n}^{\infty} p^{-jk} \Bigr\rfloor$ and $b = p^{m-nk} z$. This completes the proof.

Theorem 3. Suppose that $(p^m-1, r) = 1$. Let $k$ be the order of $p$ modulo $r$. If $m > k$, then the complexity of taking $r$th roots of $\delta$ in $\mathbb{F}_{p^m}$ is $O((\log m + k\log p)\, m\log p)$.

Proof. Given $\delta \in \mathbb{F}_{p^m}$, clearly $\delta^{r^{-1}}$ is a root of $X^r = \delta$ if $(p^m-1, r) = 1$, where $r^{-1}$ is the inverse of $r$ modulo $p^m-1$.

By Lemma 3, if $m > k$, then $r^{-1} \equiv a + b\sum_{j=0}^{n-1} p^{jk} \pmod{p^m-1}$ with $a, b < p^{2k}$ and $n = \lfloor m/k \rfloor$. Raising to the power $\sum_{j=0}^{n-1} p^{jk}$ takes $O(\log n)$ multiplications and raisings to powers of $p$. Raising to the power $a$ takes $O(k\log p)$ multiplications due to the bound on the exponent. So does raising to the power $b$. The total computation cost is therefore $O(\log m + k\log p)$ operations of complexity $O(m\log p)$ (if one directly exponentiates with $r^{-1}$ written in base $p$, it takes time $O(m^2\log^2 p)$). This completes the proof.
4.2 Taking rth roots when r is not invertible

We now discuss the problem of taking $r$th roots over $\mathbb{F}_{p^m}$ if $r \,\|\, p^m-1$, where $p$ is a prime.

Lemma 4. Suppose that $r \,\|\, p^m-1$. Let $k$ be the order of $p$ modulo $r$. Let $u$, $1 \le u < r$, satisfy $u(p^m-1)/r \equiv -1 \pmod r$ and let $v = \lceil p^m u/r^2 \rceil$. Then $rv \equiv 1 \pmod{(p^m-1)/r}$. In addition, if $m > kr$, then $v = a + b\sum_{j=0}^{n-1} p^{jkr}$ with $a, b < p^{2kr}$ and $n = \lfloor m/(kr) \rfloor$.

Proof. Since $u(p^m-1)/r \equiv -1 \pmod r$ and $1 \le u < r$, we have $p^m u/r^2 = \lceil p^m u/r^2 \rceil + (u-r)/r^2$ and $r\lceil p^m u/r^2 \rceil = u(p^m-1)/r + 1 \equiv 1 \pmod{(p^m-1)/r}$. Let $z = u(p^{kr}-1)/r^2$. Then $z$ is an integer (since $r \mid p^k-1$ and $r \mid (p^{kr}-1)/(p^k-1) = 1 + p^k + \cdots + p^{k(r-1)}$, so $r^2 \mid p^{kr}-1$) and $z < p^{kr}-1$. Hence, $p^m u/r^2 = p^m z/(p^{kr}-1)$. If $m > kr$, then we have the following expansion
$$\frac{p^m z}{p^{kr}-1} = p^{m-kr} z \sum_{j=0}^{\infty} p^{-jkr} = p^{m-nkr} z \sum_{j=0}^{n-1} p^{jkr} + p^{m-kr} z \sum_{j=n}^{\infty} p^{-jkr}.$$
Take $a = \Bigl\lceil p^{m-kr} z \sum_{j=n}^{\infty} p^{-jkr} \Bigr\rceil$ and $b = p^{m-nkr} z$. This completes the proof.

Theorem 4. Suppose that $r \,\|\, p^m-1$. Let $k$ be the order of $p$ modulo $r$. If $m > kr$, then one can compute the $r$th root of $\delta$ in $\mathbb{F}_{p^m}$, or show that it does not exist, in $O((\log m + kr\log p)\, m\log p)$ steps.

Proof. Given $\delta \in \mathbb{F}_{p^m}$, we have $\delta^{p^m-1} = 1$. If $r \,\|\, p^m-1$ and $\delta^{(p^m-1)/r} = 1$, then for any integer $v$ with $\frac{p^m-1}{r} \mid vr-1$ we have $(\delta^v)^r = \delta$. Hence, it suffices to compute the inverse of $r$ modulo $\frac{p^m-1}{r}$.

By Lemma 4, if $m > kr$, then $r^{-1} \equiv v = a + b\sum_{j=0}^{n-1} p^{jkr} \pmod{(p^m-1)/r}$ with $a, b < p^{2kr}$ and $n = \lfloor m/(kr) \rfloor$. Raising to the power $\sum_{j=0}^{n-1} p^{jkr}$ takes $O(\log n)$ multiplications and raisings to powers of $p$. Raising to the power $a$ takes $O(kr\log p)$ multiplications due to the bound on the exponent. So does raising to the power $b$. The cost of raising to $v$ is therefore $O(\log m + kr\log p)$ operations of complexity $O(m\log p)$. To check that $\rho = \delta^v$ is a correct root, we compute $\rho^r$ with cost $O(m\log r\log p)$. If $\delta$ is an $r$th power, then $\rho^r = \delta$; otherwise $\rho^r \ne \delta$ (indeed $\rho^r = \delta\cdot\delta^{vr-1}$ with $vr-1 = c\,(p^m-1)/r$, and $c\,(p^m-1)/r \equiv -1 \pmod r$ forces $(c,r)=1$, so $\delta^{vr-1} = 1$ exactly when $\delta^{(p^m-1)/r} = 1$). The total computation cost is therefore $O((\log m + kr\log p)\, m\log p)$ (if one directly exponentiates with $r^{-1}$ written in base $p$, it takes time $O(m^2\log^2 p)$). This completes the proof.
5 Conclusion



In this paper, we analyze and extend the Barreto-Voloch method for computing $r$th roots over finite fields. We specify the conditions under which the Barreto-Voloch algorithm can be preferably applied, and we give a formal complexity analysis of the extended method.

Acknowledgements This work is supported by the National Natural Science Foundation 
of China (Project 60873227), and the Key Disciplines of Shanghai Municipality (S30104). 



References 

[1] Adleman L., Manders K., Miller G.: On Taking Roots in Finite Fields. In: Proceedings of the 18th IEEE Symposium on Foundations of Computer Science, pp. 175-177. IEEE Press, New York (1977)

[2] Barreto P., Voloch J.: Efficient Computation of Roots in Finite Fields. Designs, Codes and 
Cryptography, 39, 275-280 (2006) 

[3] Boneh D., Boyen X., Shacham H.: Short Group Signatures. In: M. Franklin (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41-55. Springer, Heidelberg (2004)

[4] Boneh D., Franklin M.: Identity-based Encryption from the Weil Pairing, SIAM J. Computing. 
32(3), 586-615 (2003) 

[5] Gao S., Gathen J., Panario D., Shoup V.: Algorithms for Exponentiation in Finite Fields, J. 
Symbolic Computation. 29, 879-889 (2000) 

[6] Gathen J., Gerhard J.: Modern Computer Algebra, 2nd ed., Cambridge University Press (2003) 

[7] Shanks D.: Five Number-theoretic Algorithms. In: Proc. 2nd Manitoba Conf. Numer. Math., pp. 51-70 (1972)

[8] Shoup V.: A Computational Introduction to Number Theory and Algebra. Cambridge University 
Press (2005) 

[9] Smart N.: An Identity Based Authenticated Key Agreement Protocol Based on the Weil Pairing. 
Electronics Letters, 38, 630-632 (2002) . 

[10] Tonelli A.: Bemerkung über die Auflösung quadratischer Congruenzen. Nachrichten der Akademie der Wissenschaften in Göttingen, 344-346 (1891)






